views:

191

answers:

8

Many websites have a password strength checking tool, which tells you how strong your password is.

Let's say I have

st4cK0v3rFl0W

which is always considered super strong, but when I do

st4cK0v3rFl0Wst4cK0v3rFl0W

it is suddenly super weak. I've also heard that when a password has just a small repeating sequence, it is much weaker.

But how possibly can the second one be weaker than the first one, when it is twice as long?

A: 

My guess is it can generate a more "obvious" hash.

For example abba -> a737y4gs, but abbaabba -> 1y3k1y3k; granted, this is a silly example, but the idea is that repeating patterns in the key would make the hash appear less "random".

Sint
Doubt it. Hash functions usually don't work that way :-)
Joey
Aren't hash functions made to generate very different output for similar inputs?
Darth
As I said, this is a silly example. :) No hash function would be that weak. Then again...
Sint
Hash functions (those that are used for password hashes, at least) are designed to generate very different results for all inputs, and have non-predictable results for changed inputs.
Matthew Scharley
Then again, there are (CRC32, etc). They aren't designed for hashing passwords though, they are designed as quick sanity checks. MD5, SHA*, etc are the hashes generally used for password hashing, and display the properties I described.
Matthew Scharley
+2  A: 

I guess because you need to type your password two times using the keyboard, so maybe if someone is in front of you they can notice it.

Wael Dalloul
+9  A: 

Sounds like the password strength checker is flawed. It's not a big issue, I suppose, but a repeated strong password is not weaker than the original password.

Eamon Nerbonne
It's rather the opposite: the longer the password, the stronger it is.
Gumbo
After a certain point (that's constantly moving with hardware capabilities, but that I'd estimate at around 8 characters at the moment, sans parallel computing) it becomes no more secure (in practical terms), since it can't be brute forced anyway. Other attack vectors ignore the input length, either because they don't try to recreate the input, or because they try to work backwards from the output. Or because they go after you, the user, to tell the bad person the password.
Matthew Scharley
The entropy of a password is likely to be only a few bits per letter, so, to be safe, I'd place the minimum secure length a little higher - say, around 11 characters (and even with excellent strength per char, at least 7 characters). In any case, your point is well taken; a reasonably strong password is virtually unguessable, and if it's broken, it's not by brute force even *if* the attacker has the password's hash.
Eamon Nerbonne
Of course, most users won't have a reasonable intuition of the overall entropy of their password, so a password strength estimator - if it would work - isn't really a bad idea.
Eamon Nerbonne
+3  A: 

My guess is that it's simply trivial to check for someone attacking your password. Trying each password doubled and tripled too is only double or triple the work. However, including more possible characters in a password, such as punctuation marks, raises the complexity of brute-forcing your password much more.

However, in practice, nearly every non-obvious (read: impervious to dictionary attacks [yes, that includes 1337ifying a dictionary word]) password with 8 or more characters can be considered reasonably secure. It's usually much less work to social engineer it from you in some way or just use a keylogger.

Joey
+2  A: 

The algorithm is broken.

Either it uses doublet detection and immediately writes it off as bad, or it calculates a strength that is in some way relative to the string length, and the repeated string is weaker than a comparable totally random string of equal length.

kaizer.se
+1  A: 

It might be a flaw in the password strength checker - it recognises a pattern... A pattern is not good for a password, but in this case it is a pattern on a complex string... Another reason can be the one pointed out in the answer from Wael Dalloul: someone can see the repeated text when you type it. Any spies have two chances of seeing what you type...

awe
A: 

Whilst in practice the longer one is probably stronger, I think there may be potential weaknesses when you get into the nitty gritty of how encryption and ciphers work... possibly...

Other than that, I'd echo the other responses that the strength-checker you're using isn't taking all aspects into account very accurately.

Just a thought...

+1  A: 

The best reason that I could think of comes from the Electronic Authentication Guide, published by NIST. It gives a general rule of thumb on how to estimate entropy in a password.

Length is just one criterion for entropy. There is the password character set that is also involved, but these are not the only criteria. If you read Shannon's research on user-selected passwords closely, you'll notice that higher entropy is assigned to the initial bits, and less entropy to the latter, since it is quite possible to infer the next bits of the password from the previous.

This is not to say that longer passwords are bad, just that long passwords with a poor selection of characters are just as likely to be weak as shorter passwords.

Vineet Reynolds
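To make the two explanations concrete (kaizer.se's doublet-detection theory and the NIST tiered-entropy heuristic in the last answer), here is example code added to this thread, not from any of the answerers or from a real strength checker. The per-character tiers follow NIST SP 800-63 Appendix A; the "flawed checker" is a constructed stand-in for the behaviour the question reports, and the composition bonus is applied to the password's content rather than to a policy rule.

```python
import math

def nist_entropy_bits(pw: str) -> float:
    # NIST SP 800-63 Appendix A tiers: 4 bits for the first character,
    # 2 bits each for characters 2-8, 1.5 bits each for 9-20, 1 bit beyond,
    # plus a 6-bit bonus when upper-case and non-alphabetic characters occur
    # (the guideline ties that bonus to a composition rule; applying it to
    # the password's content is a simplification; dictionary bonus omitted).
    bits = 0.0
    for pos in range(1, len(pw) + 1):
        if pos == 1:
            bits += 4.0
        elif pos <= 8:
            bits += 2.0
        elif pos <= 20:
            bits += 1.5
        else:
            bits += 1.0
    if any(c.isupper() for c in pw) and any(not c.isalpha() for c in pw):
        bits += 6.0
    return bits

def repeated_unit(pw: str):
    # Shortest s with pw == s * k for some k >= 2, or None if pw does not repeat.
    n = len(pw)
    for size in range(1, n // 2 + 1):
        if n % size == 0 and pw[:size] * (n // size) == pw:
            return pw[:size]
    return None

def pattern_aware_bits(pw: str) -> float:
    # Credit a repeated password with the unit's entropy plus log2(k): an
    # attacker who also tries each guess doubled, tripled, ... only multiplies
    # the work by the number of repeat counts tried (Joey's point above).
    unit = repeated_unit(pw)
    if unit is None:
        return nist_entropy_bits(pw)
    return nist_entropy_bits(unit) + math.log2(len(pw) // len(unit))

def flawed_checker_bits(pw: str) -> float:
    # Constructed stand-in for the behaviour the question reports, not any
    # real tool's algorithm: a detected repeat *divides* the unit's score by
    # the repeat count, so the doubled password rates below the original.
    unit = repeated_unit(pw)
    if unit is None:
        return nist_entropy_bits(pw)
    return nist_entropy_bits(unit) / (len(pw) // len(unit))
```

For the two passwords in the question, the tiered estimate rises from 31.5 to 48 bits, the pattern-aware score only to 32.5 bits, and the constructed flawed checker drops to 15.75 bits, which is the contradiction the thread is about.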